SLIDE 1

Mathematical Methods for Cryptography 2017, Svolvaer, Lofoten, Norway

Code-Based Post-Quantum Cryptography

Wijik Lee (1), Young-Sik Kim (2), and Jong-Seon No (1)

(1) Department of ECE, INMC, Seoul National University, Seoul, Korea; (2) Chosun University, Gwangju, Korea

September 07, 2017

September 07, 2017 Seoul National Univ., Seoul, Korea

SLIDE 2

Outline

1. Introduction
2. Code-Based Post-Quantum Cryptography
3. Variants of Code-Based Post-Quantum Cryptography
4. Security of Code-Based Post-Quantum Cryptography
5. Conclusions

SLIDE 4 (Introduction)

Quantum Computers

Practical large quantum computers are said to be just around the corner; they are being developed by governments (NSA), the EU, and large companies (Google, IBM). A 50-qubit quantum computer works on a superposition of $2^{50}$ states at one time (roughly the size at which a supercomputer can no longer simulate it).

Recently, a 22-qubit quantum computer was developed by Google. A sufficiently large quantum computer is known to solve many of the problems that cryptography relies on being hard.

SLIDE 5 (Introduction)

After Quantum Computers

Google says that quantum computers are expected to be in use within 10 to 20 years from now. On a quantum computer:

Factoring (and discrete logarithms) become easy (Shor's algorithm). Some researchers at Google say that 1024-bit RSA will be broken by a quantum computer within 10 years (2027).

Search also becomes easier (Grover's algorithm): $2^n$ elements can be searched in time about $2^{n/2}$.

Once such a quantum computer exists, the conventional public-key cryptosystems are all dead: RSA, DSA, ECDSA, ECC, HECC, etc. Symmetric ciphers and hash functions survive with their security level roughly halved by Grover's algorithm, which is why key lengths such as AES-256 are recommended.

SLIDE 6 (Introduction)

Post-Quantum Cryptography

In general, a cryptosystem is a mathematical algorithm. Quantum cryptography instead uses physical techniques in place of a mathematical function. Recently, one form of quantum cryptography has been deployed for key distribution (quantum key distribution, QKD). QKD needs a direct connection between the QKD devices via optical fiber or satellite, and it generates kB of key material per second on special hardware costing about $50,000.

A conventional cryptosystem generates GB of keystream per second on a $200 CPU.

Post-quantum cryptography (PQC) is different from quantum cryptography: PQC is a mathematical algorithm that is designed to remain secure against a quantum computer (quantum-resistant) and runs on ordinary hardware.

SLIDE 7 (Introduction)

Post-Quantum Cryptography

Types of post-quantum cryptography

Code-based cryptography: 1978, McEliece; hidden-Goppa-code public-key encryption system.

Hash-based cryptography: 1979, Merkle; hash-tree public-key signature system.

Multivariate-quadratic-equation cryptography: 1996, Patarin; "HFEv-" public-key signature system.

Lattice-based cryptography: 1996, "SIS" (Ajtai; related to SVP); 1998, "NTRU" (Hoffstein, Pipher, Silverman); 2005, "LWE" (Regev; related to CVP).

SLIDE 8 (Introduction)

Call for Proposals for Post-Quantum Cryptosystems

NIST announced its call for proposals for post-quantum cryptosystems in August 2016 (draft requirements; the final call followed in December 2016). Deadline for proposals: November 30, 2017. Proposals are sought in the following three areas:

1. Public-key encryption algorithms
2. Digital signature algorithms
3. Key encapsulation mechanisms (KEMs)

First selection of the proposals for evaluation is planned for March 2018.

Popular PQC families: lattice-based post-quantum cryptography and code-based post-quantum cryptography.

SLIDE 9 (Introduction)

Code-Based Post-Quantum Cryptosystem

The code-based cryptosystem is one of the well-known post-quantum cryptosystems, introduced by McEliece (1978). The public key is $G' = SGP$, where $G$ is the generator matrix of a secret Goppa code, $S$ is a random invertible scrambling matrix and $P$ is a random permutation matrix.

SLIDE 10 (Introduction)

Code-Based Post-Quantum Cryptosystem

Encryption: with the public generator matrix $G' = SGP$, the ciphertext is $c = mG' + e$, where $e$ is a random error vector of weight at most $t$.

Decryption: $cP^{-1} = mSG + eP^{-1}$; because $P$ is a permutation, $eP^{-1}$ still has weight at most $t$, so decoding the Goppa code yields $mS$, and $m = (mS)S^{-1}$.

There are many variants of the code-based cryptosystem. We proposed modification methods for McEliece cryptosystems based on punctured RM codes (the RM-code variant of McEliece is due to Sidelnikov).

SLIDE 11 (Introduction)

Lattice-Based Post-Quantum Cryptosystem

Features of lattice-based cryptography

Based on lattice problems that are NP-hard in their exact versions: SVP (shortest vector problem) and CVP (closest vector problem); the cryptosystems rely on approximate versions of them.

Seemingly very different assumptions from factoring, discrete logarithms, and elliptic curves. Simple descriptions and implementations. Very parallelizable. Seems to resist quantum attacks. Security based on worst-case problems (worst-case to average-case reductions).

Great advantages: very strong security proofs; the schemes are fairly simple; relatively efficient.

Major drawback: the schemes have very large key sizes.

SLIDE 13 (Code-Based Post-Quantum Cryptography)

Code-Based Post-Quantum Cryptography

Code-based post-quantum cryptosystems:
McEliece cryptosystem, based on the generator matrix of a Goppa code (1978)
Niederreiter cryptosystem, based on the parity-check matrix of a Goppa code (1986)

Code-based signature scheme:
CFS signature scheme (Courtois, Finiasz, Sendrier, 2001)

SLIDE 14 (Code-Based Post-Quantum Cryptography)

McEliece Cryptosystem

In 1978, McEliece introduced a public-key cryptosystem based on error-correcting codes. Breaking the McEliece cryptosystem without exploiting the code structure is the syndrome decoding problem.

Syndrome decoding problem: given a parity-check matrix $H$ and a syndrome $s$, find a vector $e$ of minimum Hamming weight such that $He^T = s$. The decision version of syndrome decoding for a general linear code is NP-complete (Berlekamp, McEliece, van Tilborg, 1978). This hardness result is for arbitrary codes; the security of McEliece additionally assumes that the scrambled, permuted Goppa code cannot be told apart from a random code.

SLIDE 15 (Code-Based Post-Quantum Cryptography)

Goppa Code

A Goppa code is a special case of an alternant code.

Definition (alternant code). A $q$-ary alternant code of order $r$ associated with $x = (x_1, \dots, x_n) \in \mathbb{F}_{q^m}^n$, where all $x_i$ are distinct, and $y = (y_1, \dots, y_n) \in (\mathbb{F}_{q^m}^{*})^n$ is defined as

$$A_r(x, y) = \{\, c \in \mathbb{F}_q^n \;\mid\; V_r(x, y)\, c^T = 0 \,\},$$

where

$$V_r(x, y) = \begin{pmatrix} y_1 & \cdots & y_n \\ y_1 x_1 & \cdots & y_n x_n \\ \vdots & & \vdots \\ y_1 x_1^{r-1} & \cdots & y_n x_n^{r-1} \end{pmatrix}.$$

SLIDE 16 (Code-Based Post-Quantum Cryptography)

Goppa Code

Definition (Goppa code). A $q$-ary Goppa code $\Gamma(x, \gamma)$ associated with a polynomial $\gamma(z) = \sum_{i=0}^{r} \gamma_i z^i$ of degree $r$ over $\mathbb{F}_{q^m}$ and an $n$-tuple $x = (x_1, \dots, x_n)$ of distinct elements of $\mathbb{F}_{q^m}$ satisfying $\gamma(x_i) \neq 0$ for all $i$, $1 \le i \le n$, is the $q$-ary alternant code $A_r(x, y)$ with $y_i = \gamma(x_i)^{-1}$.

In the McEliece cryptosystem a binary Goppa code is used ($q = 2$). For binary Goppa codes with square-free (for instance irreducible) $\gamma$ the minimum distance is at least $2r + 1$, twice the $r + 1$ guaranteed for a general alternant code of order $r$; this is what lets them correct $t = r$ errors.
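The definition can be made concrete on a toy instance. The following Python is an added example written for this page, not code from the slides or the authors. It builds a binary Goppa code with m = 4, so the field is GF(16) = GF(2)[x]/(x^4 + x + 1) (modulus chosen here), Goppa polynomial γ(z) = z^2 + z + α^3 of degree t = 2 (chosen here; it is irreducible because it has no root in GF(16)), and support all 16 field elements. It forms V_r(x, y) with y_j = γ(x_j)^{-1}, expands each GF(16) row into m binary parity checks, and then finds k and the minimum distance by brute force over all 2^16 words. The result is a [16, 8, 5] code: k = n − mt and d = 2t + 1, exactly the binary-Goppa bound stated above.

```python
# Added example (not from the slides): build a small binary Goppa code from the
# alternant definition above and check its parameters by brute force.
# Toy size: m = 4 (GF(16)), t = 2, n = 16. Real McEliece uses m >= 10.
M = 4
FIELD_SIZE = 1 << M          # 16 elements, 4-bit integers
MODULUS = 0b10011            # x^4 + x + 1, irreducible over GF(2): defines GF(16)

def gf_mul(a, b):
    """Multiply two GF(2^4) elements, reducing modulo x^4 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & FIELD_SIZE:
            a ^= MODULUS
    return r

def gf_pow(a, e):
    """a^e by square-and-multiply; a^0 = 1 (also for a = 0, needed for the row i = 0)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def gf_inv(a):
    """a^(2^m - 2) = a^-1 for a != 0."""
    assert a != 0
    return gf_pow(a, FIELD_SIZE - 2)

def poly_eval(coeffs, z):
    """Evaluate a polynomial over GF(2^4), coefficients low degree first (Horner)."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, z) ^ c
    return r

# Goppa polynomial gamma(z) = z^2 + z + alpha^3, with alpha = x = 0b0010, alpha^3 = 0b1000.
# Chosen for this example; it has no root in GF(16), hence is irreducible, and
# every field element is usable in the support: n = 16.
GAMMA = [0b1000, 0b0001, 0b0001]

def goppa_support(gamma):
    """All x in GF(2^m) with gamma(x) != 0."""
    return [x for x in range(FIELD_SIZE) if poly_eval(gamma, x) != 0]

def goppa_parity_check(gamma, support):
    """V_r(x, y) with y_j = gamma(x_j)^-1 and r = deg gamma, each GF(2^m) row expanded
    into m binary rows.  Rows are n-bit integers: bit j <-> code position j."""
    r = len(gamma) - 1
    rows = []
    for i in range(r):
        for bit in range(M):
            mask = 0
            for j, x in enumerate(support):
                v = gf_mul(gf_inv(poly_eval(gamma, x)), gf_pow(x, i))   # y_j * x_j^i
                if (v >> bit) & 1:
                    mask |= 1 << j
            rows.append(mask)
    return rows

def code_parameters(rows, n):
    """Brute force over all 2^n words: dimension k (2^k codewords) and minimum distance d."""
    count, d = 0, n
    for v in range(1 << n):
        if all(bin(r & v).count("1") % 2 == 0 for r in rows):
            count += 1
            if v:
                d = min(d, bin(v).count("1"))
    return count.bit_length() - 1, d

if __name__ == "__main__":
    support = goppa_support(GAMMA)
    k, d = code_parameters(goppa_parity_check(GAMMA, support), len(support))
    print("binary Goppa code: n = %d, k = %d, d = %d (n - mt = %d, 2t + 1 = %d)"
          % (len(support), k, d, len(support) - M * (len(GAMMA) - 1), 2 * (len(GAMMA) - 1) + 1))
```

The brute-force check is only possible at toy size, which is the point: for n = 1024 one relies on the theory (d ≥ 2t + 1 and k ≥ n − mt) rather than on enumeration, and the decoder used in McEliece is an algebraic one (Patterson's algorithm) rather than a syndrome table.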

SLIDE 17 (Code-Based Post-Quantum Cryptography)

McEliece Cryptosystem

Based on a binary Goppa code

Let $C$ be a binary Goppa code $\Gamma$ of length $n = 2^m$, dimension $k \ge n - mt$ and minimum distance at least $2t + 1$, so that $t \approx (n - k)/\log_2 n$.

Original parameters: $n = 1024$, $k = 524$, $t = 50$ (here $m = 10$ and $n - k = mt = 500$).

No efficient structural attack is known that distinguishes the permuted Goppa code used in McEliece from a random code (the known distinguisher of Faugère et al., 2011, applies only to very high-rate Goppa codes, far from McEliece parameters).

The original parameters were designed for $2^{64}$ security; it is now known that parameters should provide $2^{128}$ security, and the scheme scales up easily to higher security levels.

SLIDE 18 (Code-Based Post-Quantum Cryptography)

McEliece Cryptosystem

Key Generation

Private key:
$G$: $k \times n$ generator matrix of the error-correcting code (Goppa code)
$S$: $k \times k$ invertible scrambling matrix
$P$: $n \times n$ permutation matrix
an efficient $t$-error-correcting decoding algorithm for the Goppa code

Public key:
$G' = SGP$ and the error-correcting capability $t$

The key size is very large: $G'$ is a $k \times n$ binary matrix, i.e. $kn$ bits (about 67 kB for $n = 1024$, $k = 524$), or $k(n - k)$ bits (about 33 kB) if $G'$ is published in systematic form.

SLIDE 19 (Code-Based Post-Quantum Cryptography)

McEliece Cryptosystem

Encryption

Encryption algorithm. Input: message $m \in \{0, 1\}^k$, public key $G'$. Output: ciphertext $c$.

1. Choose a random $e \in \{0, 1\}^n$ with Hamming weight at most $t$ (in practice exactly $t$).
2. Compute the ciphertext $c = mG' + e$ and send $c$.

Needs an efficient implementation of the binary vector-matrix multiplication, and an appropriate (cryptographically secure) random number generator for $e$.

SLIDE 20 (Code-Based Post-Quantum Cryptography)

McEliece Cryptosystem

Decryption

Decryption algorithm. Input: ciphertext $c$, private key $(S, G, P)$ and the decoding algorithm. Output: message $m$.

1. Multiply by $P^{-1}$: $cP^{-1} = mSG + eP^{-1}$.
2. Use the decoding algorithm to decode $cP^{-1}$ to $mS$ ($eP^{-1}$ is a permutation of $e$, so it still has weight at most $t$).
3. Recover $m$ by multiplying by $S^{-1}$.

Requires operations in binary extension fields (the Goppa decoder works over $\mathbb{F}_{2^m}$).

SLIDE 21 (Code-Based Post-Quantum Cryptography)

McEliece Cryptosystem

Advantages

Robust against quantum computers: the underlying general decoding problem is NP-hard, and the best known quantum attack is only a Grover-type square-root speedup of information-set decoding. The encryption and decryption processes are fast and have low complexity.

Disadvantages

The private and public keys are large matrices. The public key size is 100 kB to several MB.

SLIDE 22 (Code-Based Post-Quantum Cryptography)

Niederreiter Cryptosystem

Proposed by Niederreiter in 1986; it uses the parity-check matrix instead of the generator matrix. The Niederreiter cryptosystem also relies on the hardness of the syndrome decoding problem. With the same (Goppa) code, the McEliece and Niederreiter cryptosystems are proven to be equivalent in security (Li, Deng, Wang, 1994).

SLIDE 23 (Code-Based Post-Quantum Cryptography)

Niederreiter Cryptosystem

Key Generation:

$H$: $(n - k) \times n$ parity-check matrix of the Goppa code
$S$: $(n - k) \times (n - k)$ invertible scrambling matrix
$P$: $n \times n$ permutation matrix
Private key: $H$, $S$, $P$ (and the decoding algorithm). Public key: $H' = SHP$ and the error-correcting capability $t$.

Encryption: The message $m$ is converted into a vector of Hamming weight at most $t$, called the error vector $e \in \mathbb{F}_2^n$. Alice sends the ciphertext $s' = H'e^T$ (a syndrome) to Bob.

Decryption: When Bob receives the ciphertext $s'$, he multiplies by $S^{-1}$: $S^{-1}s' = HPe^T$. Using the decoding algorithm (syndrome decoding of the Goppa code), Bob finds $Pe^T$ and then recovers $e$ by multiplying by $P^{-1}$. With the known (constant-weight) encoding algorithm, $e$ is converted back into $m$.
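The key generation, encryption and decryption of the McEliece cryptosystem (slides 18 to 20) and of the Niederreiter cryptosystem (this slide), as an added Python example that is not from the slides or the authors. The secret Goppa code is replaced by the [7,4,3] Hamming code with t = 1 so that the decoder fits in a few lines; a Hamming code has no hidden structure, so this is a teaching toy and not a secure scheme. The Niederreiter plaintext is taken to be the weight-t error vector itself (the constant-weight encoding of m into e mentioned above is omitted), and the random matrices S and P are drawn from a seeded generator so the round trip is reproducible.

```python
# Added example for this page (not the authors' code): McEliece and Niederreiter
# with the [7,4,3] Hamming code (t = 1) standing in for the secret Goppa code.
# A Hamming code has no hidden structure, so this is a teaching toy, not secure.
import random

def mat_mul(a, b):
    """Matrix product over GF(2); a, b are lists of 0/1 rows."""
    cols = list(zip(*b))
    return [[sum(x & y for x, y in zip(row, col)) & 1 for col in cols] for row in a]

def vec_add(u, v):
    """Vector sum over GF(2) (XOR)."""
    return [x ^ y for x, y in zip(u, v)]

def mat_inv(a):
    """Inverse of a square GF(2) matrix by Gauss-Jordan elimination; None if singular."""
    n = len(a)
    m = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c]), None)
        if piv is None:
            return None
        m[c], m[piv] = m[piv], m[c]
        for r in range(n):
            if r != c and m[r][c]:
                m[r] = vec_add(m[r], m[c])
    return [row[n:] for row in m]

def random_invertible(k, rng):
    """Random k x k invertible scrambling matrix S."""
    while True:
        s = [[rng.randint(0, 1) for _ in range(k)] for _ in range(k)]
        if mat_inv(s) is not None:
            return s

def random_permutation(n, rng):
    """Random n x n permutation matrix P."""
    perm = list(range(n))
    rng.shuffle(perm)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]

# Secret code: systematic [7,4] Hamming code, G = [I | A], H = [A^T | I], t = 1.
G = [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1], [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]
H = [[1, 1, 0, 1, 1, 0, 0], [1, 0, 1, 1, 0, 1, 0], [0, 1, 1, 1, 0, 0, 1]]
T = 1

def syndrome_decode(s):
    """The unique e of weight <= T with H e^T = s (s is zero or a column of H)."""
    e = [0] * 7
    if any(s):
        e[[tuple(col) for col in zip(*H)].index(tuple(s))] = 1
    return e

def decode(y):
    """Correct up to T errors in y; return (codeword, message = its first k bits)."""
    s = [sum(h & x for h, x in zip(row, y)) & 1 for row in H]
    cw = vec_add(y, syndrome_decode(s))
    return cw, cw[:4]

# McEliece (slides 18-20): public key G' = S G P, ciphertext c = m G' + e.
def mceliece_keygen(rng):
    S, P = random_invertible(4, rng), random_permutation(7, rng)
    return (mat_mul(mat_mul(S, G), P), T), (S, P)

def mceliece_encrypt(pk, m, rng):
    Gp, t = pk
    err = rng.sample(range(7), t)                    # t random error positions
    return vec_add(mat_mul([m], Gp)[0], [int(i in err) for i in range(7)])

def mceliece_decrypt(sk, c):
    S, P = sk
    y = mat_mul([c], mat_inv(P))[0]      # c P^-1 = (mS) G + e P^-1, still weight t
    _, mS = decode(y)                     # the decoder strips the permuted error
    return mat_mul([mS], mat_inv(S))[0]   # m = (mS) S^-1

# Niederreiter (slide 23): public key H' = S H P, ciphertext s' = H' e^T.
def niederreiter_keygen(rng):
    S, P = random_invertible(3, rng), random_permutation(7, rng)
    return (mat_mul(mat_mul(S, H), P), T), (S, P)

def niederreiter_encrypt(pk, e):
    Hp, t = pk
    assert sum(e) <= t, "plaintext must be an error vector of weight <= t"
    return [row[0] for row in mat_mul(Hp, [[x] for x in e])]

def niederreiter_decrypt(sk, s):
    S, P = sk
    hs = [row[0] for row in mat_mul(mat_inv(S), [[x] for x in s])]  # S^-1 s' = H (P e^T)
    pe = syndrome_decode(hs)              # row form of P e^T, i.e. e P^T
    return mat_mul([pe], P)[0]            # (e P^T) P = e: undo the permutation

def roundtrip(seed=2017):
    """Keygen/encrypt/decrypt for both schemes on constructed inputs."""
    rng = random.Random(seed)
    pk, sk = mceliece_keygen(rng)
    m = [1, 0, 1, 1]
    c = mceliece_encrypt(pk, m, rng)
    err_wt = sum(vec_add(c, mat_mul([m], pk[0])[0]))   # weight of the error added
    pk2, sk2 = niederreiter_keygen(rng)
    e = [0, 0, 0, 0, 0, 1, 0]
    e_dec = niederreiter_decrypt(sk2, niederreiter_encrypt(pk2, e))
    return m, mceliece_decrypt(sk, c), err_wt, e, e_dec
```

Calling roundtrip() returns the message, the decrypted message, the weight of the error actually added to the ciphertext (1), the Niederreiter plaintext and its decryption. The only place the secret code's structure enters is syndrome_decode; everything else is the public linear algebra, which is why a generic attacker who cannot decode is reduced to the syndrome decoding problem of slide 14.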

SLIDE 24 (Code-Based Post-Quantum Cryptography)

Code-Based Signature Scheme

CFS signature scheme (Courtois, Finiasz, Sendrier, 2001)

The CFS signature scheme is based on the Niederreiter cryptosystem: the (hashed) message is treated as a syndrome and the signature is the corresponding low-weight error vector.

$h(m)$: hashed message. Find a signature $z$ such that $H'z^T = h(m)$, where $H'$ is the public parity-check matrix.

Advantage

Signing time does not depend on $n$, $k$.

Disadvantages

Only a fraction of about $1/t!$ of all syndromes is decodable: for a binary Goppa code with $n = 2^m$ and $n - k = mt$ there are $\binom{n}{t} \approx n^t/t!$ correctable error patterns but $2^{n-k} = n^t$ syndromes, so about $t!$ decoding attempts are needed per signature and $t$ must be very small.

The private and public key sizes are large.

Other code-based signature schemes have been broken, such as KKS, KKS variants, and CFS based on LDGM codes.

SLIDE 25 (Code-Based Post-Quantum Cryptography)

Code-Based Signature Scheme

Key generation

Private key: $(S, H, P)$, where $H$ is the parity-check matrix of a Goppa code, $S$ is a scrambling matrix and $P$ is a permutation matrix. Public key: $H' = SHP$ and a hash function $h$.

Signature

Find $z$ such that $H'z^T = h(h(m)\,|\,i)$ for some counter $i$. Initialize $i = 0$ and repeat

$s_i = S^{-1} h(h(m)\,|\,i)$, $i \leftarrow i + 1$

until $s_i$ is a decodable syndrome of $H$ (since $H'z^T = SHPz^T$, we have $S^{-1}H'z^T = H(Pz^T)$). Then set $s \leftarrow s_i$ and $z^T \leftarrow P^{-1}\,\mathrm{decode}(s)$, where $\mathrm{decode}(s)$ finds the vector $Pz^T$ of weight at most $t$ with $H(Pz^T) = s$. Signature: $\sigma = (m, z, i)$.

Verification

Check $\mathrm{wt}(z) \le t$ and $h(h(m)\,|\,i) = H'z^T$.

SLIDE 27 (Variants of Code-Based Post-Quantum Cryptography)

Variants of McEliece Cryptosystem

To overcome the key-size problem of the McEliece cryptosystem:

Use other codes: GRS codes (broken), RM codes (broken), LDPC and MDPC codes (still alive).

Modify the code structure so that the scheme survives the known attacks:
Quasi-cyclic codes: QC-LDPC, QC-MDPC, QC-LRPC
Puncturing: punctured RM codes (our work)

SLIDE 28 (Variants of Code-Based Post-Quantum Cryptography)

Variants of McEliece Cryptosystem (Our Work*)

RM code-based McEliece cryptosystem: we find the exact number and locations of columns to puncture from the generator matrix of the original RM code in order to prevent the various known attacks. Further, we also modify it by puncturing and random column insertion in the generator matrix.

* Wijik Lee, Jong-Seon No, and Young-Sik Kim, "Punctured Reed-Muller code-based McEliece cryptosystems," IET Communications, vol. 11, no. 10, pp. 1543-1548, July 2017.

SLIDE 29 (Variants of Code-Based Post-Quantum Cryptography)

Variants of McEliece Cryptosystem (Our Work)

The proposed modification of the RM code-based McEliece cryptosystem consists of the following three algorithms.

Key Generation

Private key:
$G$: $k \times n$ generator matrix of $\Gamma$ (the RM code)
$L_D$: set of column indices for puncturing; deleting the columns with indices in $L_D$ from $G$ gives the $k \times (n - |L_D|)$ matrix $G_D$
$S$: $k \times k$ scrambling matrix
$P$: $(n - |L_D|) \times (n - |L_D|)$ permutation matrix
an efficient $t$-error-correcting decoding algorithm for $\Gamma$

Public key:
$G'_D = S G_D P$
the error-correcting capability $t' = \lfloor t - |L_D|/2 \rfloor$ of $G_D$ (a decoder for a code of minimum distance $2t + 1$ corrects $\tau$ errors together with $\varepsilon$ erasures whenever $2\tau + \varepsilon \le 2t$; treating the $|L_D|$ punctured positions as erasures gives $\tau \le t - |L_D|/2$)

SLIDE 30 (Variants of Code-Based Post-Quantum Cryptography)

Variants of McEliece Cryptosystem (Our Work)

Encryption

Encryption algorithm. Input: message $m$, public key $G'_D$. Output: ciphertext $c$.

1. Choose a random $e \in \{0, 1\}^{n - |L_D|}$ with Hamming weight at most $t'$.
2. Compute the ciphertext $c = mG'_D + e$.

SLIDE 31 (Variants of Code-Based Post-Quantum Cryptography)

Variants of McEliece Cryptosystem (Our Work)

Decryption

Decryption algorithm. Input: ciphertext $c$, private key $(S, G, L_D, P)$ and the decoding algorithm. Output: message $m$.

1. Multiply by $P^{-1}$: $cP^{-1} = mSG_D + eP^{-1}$.
2. Insert the erasure mark '?' at the $j$-th positions, $j \in L_D$, to obtain a length-$n$ received word for $\Gamma$.
3. Use a decoding algorithm with erasures to decode it to $mS$.
4. Recover $m$ by multiplying by $S^{-1}$.

Our proposed McEliece cryptosystem is further modified by puncturing and random column insertion in the generator matrix.

SLIDE 33 (Security of Code-Based Post-Quantum Cryptography)

Security of the McEliece Cryptosystem

Attacks on the McEliece cryptosystem

Generic (message-recovery) attacks that ignore the code structure: information-set decoding; finding a low-weight codeword.

Structural (key-recovery) attacks on McEliece variants using codes other than Goppa codes: GRS, RM, polar codes, etc.

Semantic security

CCA2 (NIST requirement for encryption schemes); EUF-CMA (NIST requirement for signature schemes).

CCA2: indistinguishability under adaptive chosen-ciphertext attack. EUF-CMA: existential unforgeability under chosen-message attack.

SLIDE 34 (Security of Code-Based Post-Quantum Cryptography)

Security of the McEliece Cryptosystem (Information Set Decoding)

Based on guessing $k$ error-free positions of the ciphertext at random.

The adversary chooses $k$ columns of $G'$ at (hopefully) error-free indices of the ciphertext; let $G'_k$ be the resulting $k \times k$ submatrix and $c_k$ the corresponding ciphertext bits. Then $c_k = mG'_k + e_k$ with $e_k = 0$, so if $G'_k$ is invertible the message is $m = c_k (G'_k)^{-1}$; the guess is confirmed by checking $\mathrm{wt}(c - mG') \le t$.

The probability that $k$ randomly chosen positions are all error-free is $\binom{n-t}{k} / \binom{n}{k}$, so about $\binom{n}{k} / \binom{n-t}{k}$ guesses are expected.

Security of the McEliece cryptosystem (bits) for $(n, k, t)$:
(1024, 524, 50): 64
(2048, 1751, 27): 80
(6960, 5413, 119): 128
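The probability on this slide and the number of guesses it implies, as an added Python example that is not from the slides. It computes $\binom{n-t}{k}/\binom{n}{k}$ exactly, the expected number of information sets $1/p$ for plain (Prange) information-set decoding, and a crude total work that charges one Gaussian elimination of about $n(n-k)^2$ bit operations per guess (the per-guess cost is an assumption of this estimate). The figures in the slide's table are for improved, Stern-type information-set decoding, so for the first two parameter sets they are lower than the plain estimate. For (6960, 5413, 119) the plain count alone is already about $2^{265}$ guesses, which does not fit the 128 in the table; that parameter set is the one used for the highest Classic McEliece security level, so the table's last entry should be treated with caution.

```python
# Added example (not from the slides): the success probability of one
# information-set guess and the plain (Prange) ISD work factor it implies,
# evaluated for the three parameter sets in the slide's table.
from fractions import Fraction
from math import comb, log2

def p_error_free_info_set(n, k, t):
    """Pr[k random positions avoid all t error positions] = C(n-t, k) / C(n, k)."""
    return Fraction(comb(n - t, k), comb(n, k))

def prange_log2_iterations(n, k, t):
    """log2 of the expected number of information sets to try, 1/p."""
    return log2(comb(n, k)) - log2(comb(n - t, k))   # math.log2 accepts big ints

def prange_log2_work(n, k, t):
    """Crude total cost: iterations times one Gaussian elimination, charged
    here as n (n-k)^2 bit operations (an assumption for this estimate)."""
    return prange_log2_iterations(n, k, t) + log2(n * (n - k) ** 2)

# (n, k, t) and the security figure (bits) given for it in the slide's table.
SLIDE_TABLE = [((1024, 524, 50), 64), ((2048, 1751, 27), 80), ((6960, 5413, 119), 128)]

def isd_table():
    """Rows (n, k, t, slide figure, log2 Prange iterations, log2 Prange work)."""
    return [(n, k, t, sec, round(prange_log2_iterations(n, k, t), 1),
             round(prange_log2_work(n, k, t), 1)) for (n, k, t), sec in SLIDE_TABLE]

if __name__ == "__main__":
    for n, k, t, sec, it, work in isd_table():
        print("(%d, %d, %d): slide 2^%d, Prange 2^%.1f guesses, ~2^%.1f bit ops"
              % (n, k, t, sec, it, work))
```

The iteration count is what the parameter choice must defeat; the improvements from Lee-Brickell, Stern and later variants lower the exponent but do not change the shape of the estimate, which is why n and t, not k alone, drive the security level.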

SLIDE 35 (Security of Code-Based Post-Quantum Cryptography)

Security of the McEliece Cryptosystem (Finding Low Weight Codeword)

Let $c = mG' + e$. In the code generated by the $(k + 1) \times n$ matrix $\begin{pmatrix} G' \\ c \end{pmatrix}$, the error vector $e = c - mG'$ is the unique codeword of minimum weight: every other codeword has weight at least $d - t > t$ when the minimum distance $d$ of the public code exceeds $2t$. Stern's algorithm finds the minimum-weight codeword of this matrix. For the original parameters $(n, k, t) = (1024, 524, 50)$ the work factor is $2^{64.2}$.

SLIDE 36 (Security of Code-Based Post-Quantum Cryptography)

Security of the McEliece Cryptosystem

McEliece variants using codes other than Goppa codes have almost all been broken:

GRS codes (1992): Sidelnikov-Shestakov's attack (1992), Wieschebrink's attack (2010)

RM codes (Sidelnikov, 1994): Minder-Shokrollahi's attack (2007), Chizhov-Borodin's attack (2013); RM codes with random column insertion: square-code attack (2015)

Polar codes (2014): Bardet et al.'s attack (2016)

Algebraic-geometry codes and their subcodes (1996): Couvreur et al.'s attack (2017)

SLIDE 37 (Security of Code-Based Post-Quantum Cryptography)

Security for PQC by Modified RM Code (Our Work)

By the puncturing method, we can prevent Minder-Shokrollahi's attack and Chizhov-Borodin's attack. By the puncturing and random column insertion methods, we can also prevent the square-code attack.

SLIDE 38 (Security of Code-Based Post-Quantum Cryptography)

Semantic Security

Required by NIST for proposed PQC encryption algorithms: security in the sense of indistinguishability and non-malleability, i.e. CCA2 (indistinguishability under adaptive chosen-ciphertext attack).

CCA2 game

1. The challenger runs KeyGen and obtains (private key, public key). The adversary obtains only the public key.
2. The adversary can make a polynomial number of queries to a decryption oracle (at any step).
3. The adversary submits two distinct chosen plaintexts $m_0$, $m_1$.
4. The challenger chooses $b \in \{0, 1\}$ and sends $c = \mathrm{Enc}(m_b)$ to the adversary.
5. If the adversary guesses $b$ correctly (with probability noticeably better than $1/2$) without querying $c$ itself to the decryption oracle, the attack is successful.

The textbook McEliece scheme fails this game, and even the weaker chosen-plaintext version: given $c$, the adversary computes $c - m_0G'$ and checks whether its weight is at most $t$, which holds exactly when $b = 0$. It is also malleable: $c + m'G'$ is a valid encryption of $m_b + m'$, so one decryption query on $c + m'G' \neq c$ reveals $m_b$. CCA2 security therefore requires a conversion such as Fujisaki-Okamoto or the Kobara-Imai conversion designed for McEliece.

SLIDE 39 (Security of Code-Based Post-Quantum Cryptography)

Semantic Security

Required by NIST for proposed PQC signature schemes. EUF-CMA is the signature counterpart of CCA2: EUF-CMA (existential unforgeability under chosen-message attack).

EUF-CMA game

1. The challenger runs KeyGen and obtains (private key, public key). The forger obtains only the public key.
2. The forger can query a polynomial number of messages of its choice to a signing oracle (and to a hash oracle, in the random-oracle model).
3. If the forger outputs a valid message-signature pair $(m, \sigma)$ for a message $m$ that it never submitted to the signing oracle, the attack is successful.

SLIDE 41 (Conclusions)

Conclusions

With the development of quantum computers, conventional (public-key) cryptosystems become vulnerable, and thus post-quantum cryptosystems are required. Code-based cryptography is one family of post-quantum cryptosystems; we presented several code-based cryptosystems and their security properties. We proposed secure modification methods for McEliece cryptosystems based on punctured RM codes.
